You have access to this content through your organization’s enterprise subscription to the Aviation Week Intelligence Network (AWIN). Would you like to go there now? Your choice will be remembered until you close your browser.

Networked Logistics System Raises Cyber Questions

U.S. marines maintain the F-35 aboard the USS Wasp during operational testing with an ALIS Portable Maintenance Aid.

Advertisement

The global ALIS network represents a significant cyber security challenge. Data shared from an anticipated 3,000 aircraft used by 13 nations may include information that could provide actionable intelligence to an adversary.

In 2012, penetration testers from the U.S. Navy succeeded in gaining access to ALIS. The company "introduced a number of changes into our design and test process as a result of that, and other experiences that we've had," says Streznetcky, "to ensure that we deliver a system that is appropriately designed and tested to protect ourselves from the cyber threat that exists today."

That cyber threat is becoming increasingly sophisticated. According to a presentation at the Farnborough Air Show last year by Ann Mullins, Lockheed's former Chief Information Security Officer, the company was then monitoring "in excess of" 40 different so-called APT (advanced persistent threat) attacks on its own networks, 13 of which had been ongoing since 2006.

The information security industry accepts that an APT using a previously unseen attack vector will remain undetected on a network for, on average, more than six months. The firewall concept, of keeping intruders out, is considered unrealistic: today's cyber defense experts advise network operators to assume that a compromise has occurred, and plan for mitigation and response.

For all its fleet-management benefits, ALIS raises difficult security policy questions. Nations that have invested heavily to protect their data will, at some stage, have to hand over that responsibility for its security.

"For the assets and systems that we own in the Self-Defense Forces, we have a set of [cyber security] policies, and we have a different set of policies for F-35 ALIS," said Maj. Gen. Kazuo Tokito, director of C4 systems for the Japanese Self-Defense Forces, speaking through an interpreter during Defense IQ's Cyber Defense and Network Security conference in London earlier this year. "Lockheed Martin has its own set of policies, and we have our set of policies. I think, going forward, the policy issue is going to be challenging."

It is not clear whether nations can opt not to share certain types of information via ALIS. A spokesperson for the UK's defense ministry told ShowNews that: "ALIS is designed to protect UK sovereign data on dedicated UK servers, only sharing data that benefits the UK and the global F-35 fleet." The spokesperson did not explain whether data determined to be both sovereign and of benefit to the global fleet will be shared over ALIS.

This problem is understood in a wider industry context. In the UK, some systems are in place to help investigate the policy problems and craft solutions.

"The defense industry and governments generate and share sensitive information about capabilities to deliver military effect," says Paul Everitt, chief executive of the UK aerospace and defense industry association, ADS. "They recognize that this data needs to be protected and that protecting this data is very much a shared responsibility."

Everitt points to the UK's Defense Cyber Protection Partnership – which involves government, major defense contractors, and ADS – as a possible route through which policy questions raised by projects such as ALIS could be addressed. One of the Partnership's goals is to develop standards that, Everitt says, "can be mandated by MoD in contracts."

Streznetcky believes that dialogue between the company and partner nations is resolving security policy concerns.

"I think we have very constructive and fruitful dialogue with all the partners on the F-35 program," he says. And the good news is we do have a quite specific and agreed-upon plan for both data security and sharing within the program that is in place.

"The cyber threat is very real, and is at the forefront of everything we do," he continued. "We take the security of the data and information that's contained within the F-35 enterprise extremely seriously. It is the number one priority that we have in delivering this capability."

Follow Us

Search AviationWeek.com

Informa USA, Inc.

We use cookies to improve your website experience. To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy. By continuing to use the website, you consent to our use of cookies.